Basics of Apple Device Security
Total Page:16
File Type:pdf, Size:1020Kb
AN OVERVIEW FOR MAC, IPAD AND IPHONE Basics of Apple Device Security SMALL BUSINESS A well-planned cyberattack or an accidental download of 2 malware can mean the difference between a productive day and all work grinding to a halt. As hackers get more sophisticated, organizations concerned about their bottom line and security of their customer, employee or student data must stay on top of security. This guide is for anyone that has been tasked with Apple security concerns, like all IT security concerns, are real. managing Apple devices in your organization and wants to get serious about their organizational While Apple has invested a great deal in its security features security of their Apple devices, and offers basic and has rapidly become the leader in device and data privacy information for newcomers or a simple refresher for and security, no operating system is immune to security Apple management veterans. challenges. This means that administrators must not only respond quickly to security issues, but also proactively guard against them. 3 The basic building blocks Several factors work together to ensure the security of your organization’s hardware and data, and you can break them down into six main areas: Securing devices Apple native security Data encryption Keeping your physical devices Security systems already built-in The basics of encrypting data at Introduction secure and protecting those to macOS, iOS and iPadOS rest and data in transit using them to Apple Page 4 Page 7 Page 6 Security Compliance Secure monitoring Application security deployments and patching Monitoring devices to pinpoint Deploying with the highest level needed updates Keeping up-to-date software of security available Page 8 Page 9 Page 11 4 Building Block One: Apple Native Security How to make the most of them with device management Security features already built in to macOS (operating system for Mac) amd iOS (operating system for iPhone) and iPadOS (operating system for iPad) are extensive and come with several benefits: Apple operating systems are based on a UNIX foundation, a very well-researched and developed foundation with excellent stability Strong OS security framework Device security in the form of locking and device finders Ability to implement and configure security controls through configuration options via mobile device management (MDM) An MDM solution can take these existing security configurations and deploy (and enforce) them to a large group of devices. So, you can set up not only one Mac or iPad securely, but thousands. You also have more expansive security controls with an MDM tool that can lock and wipe devices that are lost or removed from the facility. 5 Security feature details Native security features for macOS, iOS and iPadOS macOS Security Features iOS Security Features iPadOS Security Features 1 Software System Integrity Gatekeeper Software Secure System App Store Software Secure System App Store Updates Protection (SIP) Updates Updates App Store FileVault XProtect Touch ID Hardware App Touch ID Hardware App Encryption Encryption Sandboxing Encryption Sandboxing App Sandboxing Privacy Settings Privacy Supervision Remote device Privacy Supervision finder for lost devices 6 Building Block Two: Securing Devices Tracking, securing and protecting devices and users Securing or restricting devices manually: One of the simplest ways to damage an organization’s security or to compromise end-user’s safety is through access to a single Mac iPad and iPhone device. Whether your organization serves healthcare workers, remote staff, retail floor employees or frequent travelers — at any Require passwords on all devices Require passwords on all devices given moment your devices could be in twenty different places. Enable Find My Mac through System Enable Find My Phone through System Lost or stolen devices Preferences > iCloud Preferences > iCloud Depend on individual user to be able to sign Depend on individual user to be able to A lost or stolen iPad, iPhone or Mac isn’t just a financial loss: into iCloud and remember password sign into iCloud and remember password it’s a huge security risk. The damage can be incalculable: a Track all Mac serial numbers Report to Apple online if a device has thief manages to find private student data from a lost laptop or Report to Apple online if a device has been been lost or stolen accesses the entire organization’s database from that laptop. A lost or stolen Enable parental controls on an individual former employee who still has her work laptop making private Enable parental controls on the device to device, creating different accounts for information public or offering it to competitors. Even a malware block websites (Only affects Safari browser) each device introduction from a remote source. Set and deploy all Restrictions and security Set and deploy all Restrictions and features from first use or setup with Blueprints security features from first use or setup Devices get lost and stolen. Accidents and moments of Lock or wipe any lost or misused with Blueprints inattention happen, and planning with the assumption that the device centrally Lock or wipe any lost or misused question is only when someone will lose track of a device is vital. Set up password requirements to deploy device centrally to all devices Set up password requirements to deploy In addition, many devices — especially those shared by multiple Manage and push OS Updates centrally to all devices users — require safeguards against misuse, accidental discovery Manage and push OS Updates centrally of another’s data, or viewing of inappropriate content. 7 Building Block Three: Encrypting Data Disc or device encryption. MacOS already has built-in disk encryption: FileVault. You don’t have to add any additional software in To manually enable FileVault: order to encrypt a drive on a Mac. 1. Navigate to System Preferences > Security and Privacy > FileVault FileVault is FIPS 140-2 certified. That means Apple’s 2. Select the toggle switch to turn on the option from there encryption system meets the highest standards for 3. Repeat federal government encryption. You can enable FileVault manually or remotely: user To enable FileVault across your organization’s devices, leverage an MDM solution to automate, deploy and enforce encryption. You can deploy a Blueprint that will enable can choose the option themselves on one device, FileVault, and IT can retrieve encryption keys in case staff need to de-encrypt the or IT can enable FileVault (using Jamf Now) across device down the road. hundreds or even thousands of devices in one session. 1. Create a Blueprint through a simple selection of options within Jamf Now and select “Enable FileVault” as a setting Jamf Now ensures that encryption keys are centrally Deploy to as many devices as you’d like stored in case you need to uncover data, someone 2. leaves or someone forgets their password. 3. There is no step three With Jamf Now, if a device is enrolled and has FileVault enabled through the MDM, recovery keys are stored centrally on the device details page in case IT needs to gain access. What about an Encrypting iOS and iPadOS devices is even easier. iOS and iPadOS devices have built-in encryption as soon as a passcode is set. You can do this individually, or you can do it from Jamf Now, as well as setting up parameters for the passcode such as iPad or iPhone? length and complexity. 8 Building Block Four: Compliance Monitoring Ensure that protocols and controls are in place on all devices A security system is only as good as its weakest point. For the best coverage, administrators must monitor the organization’s devices to ensure that every device is updated, has received the most recent patches, and has the correct encryption options enabled. Monitoring compliance with Jamf Now: To ensure that all of your organization’s devices are protected Monitoring compliance manually: through Jamf’s inventory feature: To ensure that all of your organization’s devices are protected, you would need to constantly audit devices. 1. View up-to-date, real-time information on all devices simultaneously Physically track down each device 1. 2. Deploy updates and security configurations for any 2. Go into each option individually to ensure that device that is not secured properly Software updates are all current 3. Say it with us: there is no step three Encryption is enabled No one has introduced malware or a virus 3. As updates are only as good as the last update you performed, repeat The ability to see device details helps you know which updates to 4. And repeat send where, and which security features to configure. Blueprints based on department, permissions, device type, or any other 5. This will require constant vigilance and a great deal of buy-in and categorization method mean that you can be as targeted or all- cooperation from end users encompassing in updates as they you choose. 9 Building Block Five: Application Security and Patching Keeping up-to-date on patches and ensuring the safety of applications Application Security: Apple has made apps as safe as possible to download and use with the following features: It’s vital to know that They’ve adopted a sandbox model: each app lives in its own space and can’t interact with other applications. your applications don’t To allow apps to read or write to others’ shared data requires approval from the user or administrator. contain malware or Apps in the App Store have been vetted to alleviate security risk. This is the only way to get apps on an other hostile code. If iPhone or iPad, which controls security. Confining Mac users to the App Store for their apps is a way that administrators can control security device-wide.